diff options
Diffstat (limited to 'dev-lang/python/files/python-3.2-CVE-2013-2099.patch')
-rw-r--r-- | dev-lang/python/files/python-3.2-CVE-2013-2099.patch | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/dev-lang/python/files/python-3.2-CVE-2013-2099.patch b/dev-lang/python/files/python-3.2-CVE-2013-2099.patch new file mode 100644 index 000000000000..9055a03dfc89 --- /dev/null +++ b/dev-lang/python/files/python-3.2-CVE-2013-2099.patch @@ -0,0 +1,51 @@ +# HG changeset patch +# User Antoine Pitrou <solipsis@pitrou.net> +# Date 1368892602 -7200 +# Sat May 18 17:56:42 2013 +0200 +# Branch 3.2 +# Node ID b9b521efeba385af0142988899a55de1c1c805c7 +# Parent 6255b40c6a6127933d8ea7a2b9de200f5a0e6154 +Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099). + +diff --git a/Lib/ssl.py b/Lib/ssl.py +--- a/Lib/ssl.py ++++ b/Lib/ssl.py +@@ -108,9 +108,16 @@ + pass + + +-def _dnsname_to_pat(dn): ++def _dnsname_to_pat(dn, max_wildcards=1): + pats = [] + for frag in dn.split(r'.'): ++ if frag.count('*') > max_wildcards: ++ # Issue #17980: avoid denials of service by refusing more ++ # than one wildcard per fragment. A survery of established ++ # policy among SSL implementations showed it to be a ++ # reasonable choice. ++ raise CertificateError( ++ "too many wildcards in certificate DNS name: " + repr(dn)) + if frag == '*': + # When '*' is a fragment by itself, it matches a non-empty dotless + # fragment. +diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py +--- a/Lib/test/test_ssl.py ++++ b/Lib/test/test_ssl.py +@@ -326,6 +326,17 @@ + self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com') + self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com') + ++ # Issue #17980: avoid denials of service by refusing more than one ++ # wildcard per fragment. ++ cert = {'subject': ((('commonName', 'a*b.com'),),)} ++ ok(cert, 'axxb.com') ++ cert = {'subject': ((('commonName', 'a*b.co*'),),)} ++ ok(cert, 'axxb.com') ++ cert = {'subject': ((('commonName', 'a*b*.com'),),)} ++ with self.assertRaises(ssl.CertificateError) as cm: ++ ssl.match_hostname(cert, 'axxbxxc.com') ++ self.assertIn("too many wildcards", str(cm.exception)) ++ + def test_server_side(self): + # server_hostname doesn't work for server sockets + ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) |